Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alibaba, Tencent 보안 그룹 기능(룰 추가 / 룰 삭제) 보완 #626

Merged
merged 6 commits into from
May 4, 2022
Merged

Alibaba, Tencent 보안 그룹 기능(룰 추가 / 룰 삭제) 보완 #626

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
340655a
tencent security outbound default all open
choryang Apr 29, 2022
b0e5665
update tencent security handler(outbound all open)
choryang May 3, 2022
41b0d72
Tencent 보안 그룹 생성 시 outbound all open
MZC-CSC May 3, 2022
9ecfe88
pr test
choryang May 3, 2022
65ca7d5
update security handler (AddRules/RemoveRules)
choryang May 4, 2022
2ec2ac9
Alibaba, Tencent 보안 그룹 기능(룰 추가 / 룰 삭제) 보완
MZC-CSC May 4, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
137 changes: 128 additions & 9 deletions cloud-control-manager/cloud-driver/drivers/alibaba/resources/SecurityHandler.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ package resources
import (
"errors"
"strings"
"encoding/json"

"github.com/aliyun/alibaba-cloud-sdk-go/services/ecs"
call "github.com/cloud-barista/cb-spider/cloud-control-manager/cloud-driver/call-log"
Expand All @@ -26,6 +27,13 @@ type AlibabaSecurityHandler struct {
Client *ecs.Client
}

type RuleAction string

const (
Add RuleAction = "Add"
Remove RuleAction = "Remove"
)

func (securityHandler *AlibabaSecurityHandler) CreateSecurity(securityReqInfo irs.SecurityReqInfo) (irs.SecurityInfo, error) {
cblogger.Infof("securityReqInfo : ", securityReqInfo)
//spew.Dump(securityReqInfo)
Expand Down Expand Up @@ -101,17 +109,37 @@ func (securityHandler *AlibabaSecurityHandler) CreateSecurity(securityReqInfo ir
// - function name 변경 : AuthorizeSecurityRules to AddRules
//func (securityHandler *AlibabaSecurityHandler) AuthorizeSecurityRules(securityGroupId string, vpcId string, securityRuleInfos *[]irs.SecurityRuleInfo) (*[]irs.SecurityRuleInfo, error) {
//func (securityHandler *AlibabaSecurityHandler) AuthorizeSecurityRules(securityGroupId string, securityRuleInfos *[]irs.SecurityRuleInfo) (*[]irs.SecurityRuleInfo, error) {
func (securityHandler *AlibabaSecurityHandler) AddRules(securityIID irs.IID, securityRules *[]irs.SecurityRuleInfo) (irs.SecurityInfo, error) {
func (securityHandler *AlibabaSecurityHandler) AddRules(securityIID irs.IID, reqSecurityRules *[]irs.SecurityRuleInfo) (irs.SecurityInfo, error) {
securityGroupId := securityIID.SystemId
cblogger.Infof("securityGroupId : [%s] / securityRuleInfos : [%v]", securityGroupId, securityRules)
cblogger.Infof("securityGroupId : [%s] / securityRuleInfos : [%v]", securityGroupId, reqSecurityRules)
//cblogger.Info("AuthorizeSecurityRules ", securityRuleInfos)
spew.Dump(securityRules)
spew.Dump(reqSecurityRules)

if len(*securityRules) < 1 {
if len(*reqSecurityRules) < 1 {
return irs.SecurityInfo{}, errors.New("invalid value - The SecurityRules to add is empty")
}

for _, curRule := range *securityRules {
presentRules, presentRulesErr := securityHandler.ExtractSecurityRuleInfo(securityGroupId)
if presentRulesErr != nil {
cblogger.Error(presentRulesErr)
return irs.SecurityInfo{}, presentRulesErr
}

checkResult := sameRulesCheck(&presentRules, reqSecurityRules, Add)
cblogger.Infof("checkResult: [%v]", checkResult)
if checkResult != nil {
errorMsg := ""
for _, rule := range *checkResult {
jsonRule, err := json.Marshal(rule)
if err != nil {
cblogger.Error(err)
}
errorMsg += string(jsonRule)
}
return irs.SecurityInfo{}, errors.New("invalid value - "+ errorMsg +" already exists!")
}

for _, curRule := range *reqSecurityRules {
if strings.EqualFold(curRule.Direction, "inbound") {
request := ecs.CreateAuthorizeSecurityGroupRequest()
request.Scheme = "https"
Expand Down Expand Up @@ -159,15 +187,37 @@ func (securityHandler *AlibabaSecurityHandler) AddRules(securityIID irs.IID, sec

// If the security group rule to be deleted does not exist, the RevokeSecurityGroup operation succeeds but no rule is deleted.
//func (securityHandler *AlibabaSecurityHandler) RevokeSecurityRules(securityGroupId string, securityRuleInfos *[]irs.SecurityRuleInfo) (*[]irs.SecurityRuleInfo, error) {
func (securityHandler *AlibabaSecurityHandler) RemoveRules(securityIID irs.IID, securityRuleInfos *[]irs.SecurityRuleInfo) (bool, error) {
func (securityHandler *AlibabaSecurityHandler) RemoveRules(securityIID irs.IID, reqSecurityRules *[]irs.SecurityRuleInfo) (bool, error) {
securityGroupId := securityIID.SystemId
cblogger.Infof("securityGroupId : [%s] / securityRuleInfos : [%v]", securityGroupId, securityRuleInfos)
spew.Dump(securityRuleInfos)
cblogger.Infof("securityGroupId : [%s] / securityRuleInfos : [%v]", securityGroupId, reqSecurityRules)
spew.Dump(reqSecurityRules)

presentRules, presentRulesErr := securityHandler.ExtractSecurityRuleInfo(securityGroupId)
if presentRulesErr != nil {
cblogger.Error(presentRulesErr)
return false, presentRulesErr
}

checkResult := sameRulesCheck(&presentRules, reqSecurityRules, Remove)
cblogger.Infof("checkResult: [%v]", checkResult)
if checkResult != nil {
errorMsg := ""
for _, rule := range *checkResult {
jsonRule, err := json.Marshal(rule)
if err != nil {
cblogger.Error(err)
}
errorMsg += string(jsonRule)
}
return false, errors.New("invalid value - "+ errorMsg +" does not exist!")
}


// "cidr": "string",
// "fromPort": "string",
// "ipprotocol": "string",
// "toPort": "string"
for _, curRule := range *securityRuleInfos {
for _, curRule := range *reqSecurityRules {
if strings.EqualFold(curRule.Direction, "inbound") {
// 3가지 case중 1번 사용.
// SourceGroupId : The ID of the source security group
Expand Down Expand Up @@ -443,4 +493,73 @@ func (securityHandler *AlibabaSecurityHandler) DeleteSecurity(securityIID irs.II
cblogger.Info(response)
cblogger.Infof("Successfully delete security group %q.", securityIID.SystemId)
return true, nil
}

// 동일한 rule이 있는지 체크
// RuleAction이 Add면 중복인 rule 리턴, Remove면 없는 rule 리턴
func sameRulesCheck(presentSecurityRules *[]irs.SecurityRuleInfo, reqSecurityRules *[]irs.SecurityRuleInfo, action RuleAction) (*[]irs.SecurityRuleInfo) {
var checkResult []irs.SecurityRuleInfo
cblogger.Infof("presentSecurityRules: [%v] / reqSecurityRules: [%v]", presentSecurityRules, reqSecurityRules)
for _, reqRule := range *reqSecurityRules {
hasFound := false
reqRulePort := ""
if reqRule.FromPort == "" {
reqRulePort = reqRule.ToPort
} else if reqRule.ToPort == "" {
reqRulePort = reqRule.FromPort
} else if reqRule.FromPort == reqRule.ToPort {
reqRulePort = reqRule.FromPort
} else {
reqRulePort = reqRule.FromPort + "-" + reqRule.ToPort
}

if strings.EqualFold(reqRule.Direction, "inbound") {
reqRule.Direction = "ingress"
} else if strings.EqualFold(reqRule.Direction, "outbound") {
reqRule.Direction = "egress"
}

for _, present := range *presentSecurityRules {
presentPort := ""
if present.FromPort == "" {
presentPort = present.ToPort
} else if present.ToPort == "" {
presentPort = present.FromPort
} else if present.FromPort == present.ToPort {
presentPort = present.FromPort
} else {
presentPort = present.FromPort + "-" + present.ToPort
}

if !strings.EqualFold(reqRule.Direction, present.Direction) {
continue
}
if !strings.EqualFold(reqRule.IPProtocol, present.IPProtocol) {
continue
}
if !strings.EqualFold(reqRulePort, presentPort) {
continue
}
if !strings.EqualFold(reqRule.CIDR, present.CIDR) {
continue
}

if action == Add {
checkResult = append(checkResult, reqRule)
}
hasFound = true
break
}

// Remove일때는 못 찾아야 append
if action == Remove && !hasFound {
checkResult = append(checkResult, reqRule)
}
}

if len(checkResult) > 0 {
return &checkResult
}

return nil
}
Loading